[
https://issues.apache.org/jira/browse/DIRSERVER-1830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13649867#comment-13649867
]
Emmanuel Lecharny commented on DIRSERVER-1830:
----------------------------------------------
Here are the two places where we use the pwdMaxIdle:
bind:
    if ( policyConfig.getPwdMaxIdle() > 0 )
    {
        // Record the time of this successful bind in pwdLastSuccess
        Attribute pwdLastSuccesTimeAt = new DefaultAttribute( AT_PWD_LAST_SUCCESS );
        pwdLastSuccesTimeAt.add( DateUtils.getGeneralizedTime() );
        Modification pwdLastSuccesTimeMod = new DefaultModification( REPLACE_ATTRIBUTE, pwdLastSuccesTimeAt );
        mods.add( pwdLastSuccesTimeMod );
    }
We get the date the password was last modified, we update it with the current
date. No check here.
and in the checkPwdPolicy method, which is called when we look up the password:
    if ( pPolicyConfig.getPwdMaxIdle() > 0 )
    {
        Attribute pwdLastSuccessTimeAttr = userEntry.get( PWD_LAST_SUCCESS_AT );

        // Let's be sure that the user has already logged in
        if ( pwdLastSuccessTimeAttr != null )
        {
            // pwdMaxIdle is in seconds; convert to milliseconds and add it to the last successful bind time
            long time = pPolicyConfig.getPwdMaxIdle() * 1000L;
            time += DateUtils.getDate( pwdLastSuccessTimeAttr.getString() ).getTime();

            // Lock the account once the idle window has elapsed
            if ( System.currentTimeMillis() >= time )
            {
                throw new PasswordPolicyException(
                    "account locked due to the max idle time of the password was exceeded",
                    ACCOUNT_LOCKED.getValue() );
            }
        }
    }
Here, we get the time the user successfully authenticated, we add the
pwdMaxIdle time to it and we compare this date with the current date.
I don't see anything that would forbid an authentication :/
Can you set up the logs on the server in debug mode?
> when ads-pwdMaxIdle > 0 no more authentication possible
> -------------------------------------------------------
>
> Key: DIRSERVER-1830
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1830
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: ldap
> Affects Versions: 2.0.0-M11
> Environment: CentOS
> Reporter: Michael Witzel
>
> When I configure ads-pwdMaxIdle > 0, no authentication is possible, neither
> with admin nor with other users.
> Eclipse Studio:
> Error opening the connection
> - [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot
> authenticate user uid=admin,ou=system]
> java.lang.Exception: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed:
> ERR_229 Cannot authenticate user uid=admin,ou=system]
> at
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1279)
> at
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$600(DirectoryApiConnectionWrapper.java:109)
> at
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:450)
> at
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1174)
> at
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:459)
> at
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:307)
> at
> org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
> at
> org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
> at org.eclipse.core.internal.jobs.Worker.run(Worker.java:53)
> [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot
> authenticate user uid=admin,ou=system]
> wrapper.log
> INFO | jvm 1 | 2013/04/18 14:24:06 | [14:24:06] ERROR
> [org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler] -
> ERR_169 failed to unbind session properly
> INFO | jvm 1 | 2013/04/18 14:24:06 |
> org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException:
> ERR_268 Cannot find a partition for
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.getPartition(DefaultPartitionNexus.java:927)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.unbind(DefaultPartitionNexus.java:794)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor$1.unbind(BaseInterceptor.java:266)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:690)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.directory.server.core.authn.AuthenticationInterceptor.unbind(AuthenticationInterceptor.java:1159)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.directory.server.core.DefaultOperationManager.unbind(DefaultOperationManager.java:1230)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.directory.server.core.shared.DefaultCoreSession.unbind(DefaultCoreSession.java:1073)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler.handle(UnbindRequestHandler.java:50)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler.handle(UnbindRequestHandler.java:38)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:219)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:474)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:428)
> INFO | jvm 1 | 2013/04/18 14:24:06 | at
> java.lang.Thread.run(Thread.java:662)
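The pwdMaxIdle evaluation quoted in the comment above, modelled in Python as an added example (not ApacheDS code) so the three outcomes can be seen side by side: pwdMaxIdle of 0 disables the check, a user with no pwdLastSuccess attribute is never locked, and a bind at or after pwdLastSuccess + pwdMaxIdle seconds is rejected with ACCOUNT_LOCKED. Timestamps are constructed GeneralizedTime strings in the basic "YYYYMMDDHHMMSSZ" form; the clock value is taken from the wrapper.log timestamp in the report.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Result code returned when the idle window has expired (ApacheDS raises a
# PasswordPolicyException carrying ACCOUNT_LOCKED; modelled here as a string).
ACCOUNT_LOCKED = "ACCOUNT_LOCKED"


def parse_generalized_time(value: str) -> datetime:
    """Parse the basic 'YYYYMMDDHHMMSSZ' GeneralizedTime form, as written by
    DateUtils.getGeneralizedTime() into pwdLastSuccess."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_pwd_max_idle(pwd_max_idle: int,
                       pwd_last_success: Optional[str],
                       now: str) -> Optional[str]:
    """Mirror of the checkPwdPolicy branches from the comment.

    pwd_max_idle is in seconds (the Java code multiplies by 1000 to get ms);
    pwd_last_success is the entry's pwdLastSuccess attribute or None when the
    user has never bound successfully; now is the server clock as a
    GeneralizedTime string. Returns ACCOUNT_LOCKED or None.
    """
    if pwd_max_idle <= 0:          # policy not enabled
        return None
    if pwd_last_success is None:   # never logged in: nothing to compare against
        return None
    deadline = parse_generalized_time(pwd_last_success) + timedelta(seconds=pwd_max_idle)
    if parse_generalized_time(now) >= deadline:   # same '>=' as the Java code
        return ACCOUNT_LOCKED
    return None


if __name__ == "__main__":
    # Constructed values: clock from the wrapper.log line, last bind 24m06s earlier.
    now = "20130418142406Z"
    last = "20130418140000Z"
    for idle in (0, 3600, 1446, 600):
        print(f"pwdMaxIdle={idle:5d} -> {check_pwd_max_idle(idle, last, now)}")
    print(f"never bound       -> {check_pwd_max_idle(3600, None, now)}")
```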